Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)
Tracking Darkports for Network Defense
Miami Beach, Florida, USA
December 10-December 14
ISBN: 0-7695-3060-5
We exploit for defensive purposes the concept of darkports: the unused ports on active systems. We are particularly interested in such ports which transition to become active (i.e. become trans-darkports). Darkports are identified by passively observing and characterizing the connectivity behavior of internal hosts in a network as they respond to both legitimate connection attempts and scanning attempts. Darkports can be used to detect sophisticated scanning activity, enable fine-grained automated defense against automated malware attacks, and detect real-time changes in a network that may indicate a successful compromise. We show, in a direct comparison with Snort, that darkports offer a better scanning detection capability with fewer false positives and negatives. Our results also show that the network awareness gained by the use of darkports enables active response options to be safely focused exclusively on those systems that directly threaten the network.
Citation:
David Whyte, Paul C. van Oorschot, Evangelos Kranakis, "Tracking Darkports for Network Defense," acsac, pp.161-171, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), 2007
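The sketch below is an added illustration of the idea in the abstract, not code from the paper or its authors: it learns which ports each internal host answers on, then labels later traffic as a darkport hit (probe of an unused port) or a trans-darkport (an unused port that starts answering). The event format, the fixed training window, the scanner threshold and all addresses are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample data: (time, src, internal_dst, dst_port, answered).
# answered=True means the internal host was seen replying on that port.
EVENTS = [
    (1, "198.51.100.7", "10.0.0.5", 80, True),
    (2, "198.51.100.8", "10.0.0.5", 22, True),
    (3, "198.51.100.7", "10.0.0.6", 443, True),
    (11, "203.0.113.9", "10.0.0.5", 23, False),
    (12, "203.0.113.9", "10.0.0.5", 445, False),
    (13, "203.0.113.9", "10.0.0.6", 80, False),
    (14, "198.51.100.7", "10.0.0.5", 80, True),
    (15, "198.51.100.20", "10.0.0.6", 4444, True),
    (16, "198.51.100.8", "10.0.0.5", 8080, False),
]

class DarkportTracker:
    def __init__(self, training_end):
        self.training_end = training_end      # assumed learning window
        self.active = defaultdict(set)        # host -> ports seen answering
        self.dark_hits = defaultdict(set)     # src -> {(host, darkport)}
        self.trans = set()                    # (host, port) that turned active

    def observe(self, t, src, dst, port, answered):
        if t < self.training_end:             # learning phase: build the profile
            if answered:
                self.active[dst].add(port)
            return None
        if port in self.active[dst]:          # known service, nothing to report
            return None
        if answered:                          # unused port now replies
            self.trans.add((dst, port))
            return "trans-darkport"
        self.dark_hits[src].add((dst, port))  # probe of an unused port
        return "darkport-hit"

    def scanners(self, threshold):
        # Sources that touched at least `threshold` distinct darkports.
        return sorted(s for s, h in self.dark_hits.items() if len(h) >= threshold)

def run(events, training_end=10):
    tracker = DarkportTracker(training_end)
    labels = [tracker.observe(*e) for e in events]
    return tracker, labels

if __name__ == "__main__":
    tracker, labels = run(EVENTS)
    print(labels, tracker.scanners(3), sorted(tracker.trans))
```

A single stray connection to an unused port (the last event) is recorded but stays below the scanner threshold, while the newly answering port on 10.0.0.6 is reported separately as a change on the host itself.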